[API Proposal]: Add support for replay detection and out of sequence detection to NegotiateAuthentication #126334
Description
Background and motivation
WCF has bindings in .NET Framework which can use SPNEGO to initiate an authentication handshake and establish a secure session between client and server. It does this by calling the SSPI APIs directly via P/Invoke. To bring this capability to .NET and make it cross-platform, we would adopt NegotiateAuthentication. Some of the SSPI features that WCF uses are not exposed by NegotiateAuthentication today.
WCF is able to authenticate in the open, i.e. using full Message security (not yet supported on .NET) with no TLS/SSL protecting the transport, so it is important to prevent the attacks that are possible against communication in the open.
SSPI can detect replayed payloads when signing and/or encrypting them; this requires passing the request context flag ISC_REQ_REPLAY_DETECT. A second flag that WCF uses, which also helps against attacks on traffic in the open, is ISC_REQ_SEQUENCE_DETECT; it detects signed/encrypted payloads being delivered out of order.
NegotiateAuthentication currently sets neither flag.
API Proposal
```csharp
namespace System.Net.Security;

public partial class NegotiateAuthenticationClientOptions
{
    // New: request ISC_REQ_REPLAY_DETECT on the client context.
    public bool DetectReplay { get; set; }
    // New: request ISC_REQ_SEQUENCE_DETECT on the client context.
    public bool SequenceDetection { get; set; }
}

public partial class NegotiateAuthenticationServerOptions
{
    // New: same two options for the server-side (accept) context.
    public bool DetectReplay { get; set; }
    public bool SequenceDetection { get; set; }
}
```
API Usage
```csharp
var options = new NegotiateAuthenticationClientOptions
{
    Package = "Negotiate",
    TargetName = "host/myserver",
    RequiredProtectionLevel = ProtectionLevel.EncryptAndSign,
    DetectReplay = true,
    SequenceDetection = true
};
var nego = new NegotiateAuthentication(options);
```
Similar code would be used for the ServerOptions.
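As an added example (not code from this proposal or from the runtime), the following drives a loopback Negotiate handshake, seals one message on the client and then unwraps the identical sealed blob twice on the server, which is what a replayed payload looks like on the wire. It assumes the proposed DetectReplay/SequenceDetection properties exist as described above, that "host/myserver" is the server's SPN, and a Windows host where the Negotiate package can authenticate the current user to itself.

```csharp
using System;
using System.Buffers;
using System.Net.Security;
using System.Text;

static class ReplayDemo
{
    static void Main()
    {
        // DetectReplay / SequenceDetection are the properties this proposal asks for;
        // they are hypothetical here and do not compile against shipped .NET.
        var client = new NegotiateAuthentication(new NegotiateAuthenticationClientOptions
        {
            Package = "Negotiate",
            TargetName = "host/myserver", // assumed SPN of the loopback server
            RequiredProtectionLevel = ProtectionLevel.EncryptAndSign,
            DetectReplay = true,
            SequenceDetection = true,
        });
        var server = new NegotiateAuthentication(new NegotiateAuthenticationServerOptions
        {
            RequiredProtectionLevel = ProtectionLevel.EncryptAndSign,
            DetectReplay = true,
            SequenceDetection = true,
        });
        // Drive the SPNEGO token exchange in-process until neither side has more to send.
        byte[]? clientToken = client.GetOutgoingBlob(ReadOnlySpan<byte>.Empty, out var status);
        while (clientToken is not null)
        {
            byte[]? serverToken = server.GetOutgoingBlob(clientToken, out status);
            Check(status, "server");
            if (serverToken is null) break;
            clientToken = client.GetOutgoingBlob(serverToken, out status);
            Check(status, "client");
        }
        if (!client.IsAuthenticated || !server.IsAuthenticated) throw new InvalidOperationException("handshake incomplete");
        // The client seals one message; the same sealed blob is then delivered to the server twice.
        var sealedMsg = new ArrayBufferWriter<byte>();
        Check(client.Wrap(Encoding.UTF8.GetBytes("transfer 100"), sealedMsg, true, out _), "wrap");
        Console.WriteLine($"first delivery: {Deliver(server, sealedMsg.WrittenSpan)}");
        Console.WriteLine($"replayed blob : {Deliver(server, sealedMsg.WrittenSpan)}");
    }

    // Accept a payload only on Completed; anything else (OutOfSequence, MessageAltered, ...) must be
    // discarded by the receiver. Without the flags, the replay is expected to report Completed as well.
    static NegotiateAuthenticationStatusCode Deliver(NegotiateAuthentication server, ReadOnlySpan<byte> blob)
        => server.Unwrap(blob, new ArrayBufferWriter<byte>(), out _);

    static void Check(NegotiateAuthenticationStatusCode s, string side)
    {
        if (s != NegotiateAuthenticationStatusCode.Completed && s != NegotiateAuthenticationStatusCode.ContinueNeeded)
            throw new InvalidOperationException($"{side}: {s}");
    }
}
```

The second Deliver call is the check a receiver needs: with the flags requested, the status of the replayed blob is the only signal that the message must be dropped.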
Alternative Designs
None that I can think of
Risks
No risks, as the default behavior would be identical to today's; it would only affect those who opt in to the feature.